Security

EESecurity & Technology SolutionsSecurity & Technology Solutions

Security StrategyAn Overview

January 22, 2003

Security StrategyAn Overview

January 22, 2003

2 EESecurity & Technology SolutionsSecurity & Technology Solutions

Digital Risk is a Component of Enterprise Risk

Areas of digital risk in your organization include:

Effective and efficient control environment

Security and availability of digital information

System privileges and access controls

Disruption from intrusions or viruses

Threats to business continuity

IT Dept.

Customers

Business Partners

Management

Shareholders

Business Initiatives

CEO, CIO, CFORisk Officer

General Counsel

Board ofDirectors

AuditCommittee

EffectivelyManage Risk

Establish Trust

Enhance or Manage Brand

Regulators

Employees

ORGANIZATIONAL GOALS

DECISION MAKERS

STAKEHOLDERS

“Digital risk is the exposure to loss or damage from the reliance upon information technology to achieve organizational goals.”


Security is a Critical Component of the Digital Risk Agenda


Rudy Giuliani’s Call to ActionRudy Giuliani’s Call to ActionThe time has come for senior executives of U.S. corporations to follow the President's lead and make security a mainstream business critical, board-level issue…the time when security-related decisions could be left to persons at a mid-manager level or decided solely upon budgetary considerations has passed. Senior executives must now take the steps to plan, prepare and practice to address their organizational security threats and challenges.

The time has come for senior executives of U.S. corporations to follow the President's lead and make security a mainstream business critical, board-level issue…the time when security-related decisions could be left to persons at a mid-manager level or decided solely upon budgetary considerations has passed. Senior executives must now take the steps to plan, prepare and practice to address their organizational security threats and challenges.


What is the Digital Frontier?What is the Digital Frontier?The digital frontier is the forward edge of technological impact with respect to organizations’ usage of technology and their reliance upon it for productivity improvements.

The digital frontier is the forward edge of technological impact with respect to organizations’ usage of technology and their reliance upon it for productivity improvements.

Relianceon IT

Relianceon IT

HighHigh

LowLowLowLow HighHighIT UsageIT Usage

ProductivityImprovementProductivityImprovement

MobileMobile

InternetInternet

Client/ServerClient/Server

1970s1970s 1980s1980s 1990s1990s 2000s2000s

MFMF


Increase Security RisksIncrease Security RisksAs organizations invest for productivity improvement to the edge of digital frontier they also encounter increased security risks via a greater impact of and probability of technology failures.

As organizations invest for productivity improvement to the edge of digital frontier they also encounter increased security risks via a greater impact of and probability of technology failures.

HighHigh

LowLowLowLow HighHigh

1970s1970s 1980s1980s 1990s1990s 2000s2000s

MobileMobile

InternetInternet

Client/ServerClient/Server

MFMF

Impact of Failure

Impact of Failure

Increased Risk

Increased Risk

Probability of Failure



The Security FrontierThe Security Frontier

ProductivityImprovement/Increased Risk

ProductivityImprovement/Increased RiskReliance on IT

Impact of FailureReliance on IT

Impact of Failure

HighHigh

LowLowLowLow HighHighIT Usage

Probability of FailureIT Usage


1970s1970s 1980s1980s 1990s1990s 2000s2000s

The digital frontier and corresponding security risk combine to create a new frontier. We call this the security frontier.The digital frontier and corresponding security risk combine to create a new frontier. We call this the security frontier.


The Digital Security GapThe Digital Security GapCaught up in the pursuit of productivity improvements, management apparently overlooked security.Caught up in the pursuit of productivity improvements, management apparently overlooked security.

TotalSpending

TotalSpending

HighHigh

LowLow

1990’s1990’s 2000’s2000’sTimeTime

Total Security SpendingTotal Security Spending

Total IT Spending

Total IT Spending

DigitalSecurity

Gap


Threats & Gaps are RealThreats & Gaps are Real

Al-Qaeda members…are trying to hack into American computers that control water, electrical and communications facilities including 911 networks in at least 30 municipalities.

Technologist say U.S. business are not prepared for a major cyberattack, according to a July study by the Business Software Alliance. .

Al-Qaeda members…are trying to hack into American computers that control water, electrical and communications facilities including 911 networks in at least 30 municipalities.

Technologist say U.S. business are not prepared for a major cyberattack, according to a July study by the Business Software Alliance. .

Sept. 16, 2002Sept. 16, 2002

Sept. 9, 2002Sept. 9, 2002


Prepare to defend the digital frontier by…

And then, create a highly effective digital security program.

Prepare to defend the digital frontier by…

And then, create a highly effective digital security program.

Closing the GapClosing the Gap

Determining where your organization is relative to the frontier

Establishing responsibilities

Defining priorities

Understanding threats and vulnerabilities

Determining where your organization is relative to the frontier

Establishing responsibilities

Defining priorities

Understanding threats and vulnerabilities


6 Key Security Characteristics6 Key Security Characteristics6 Key Security Characteristics6 Key Security Characteristics


1) Aligned1) Aligned

BusinessObjectivesBusiness

Objectives

DigitalAssetsDigitalAssets

ITOrganization

ITOrganization

DigitalSecurityDigital

Security

Aligned

Aligned

The attainment and maintenance of appropriate alignment between digital security, the IT organization, digital asset and business objectives.

The attainment and maintenance of appropriate alignment between digital security, the IT organization, digital asset and business objectives.

The distance between the top levels of management and the security team is known as the Security Management Gap.

The distance between the top levels of management and the security team is known as the Security Management Gap.

79% of respondents in the 2002 Ernst & Young Digital Security Overview survey indicated that the documentation, implementation, and follow-through cycle for their information security policies was not being carried out completely.


2) Enterprise-Wide2) Enterprise-Wide

CorporateCorporate

A holistic view of the security needs for the entire organization, as well as its extended enterprise, to ensure consistent, efficient deployment. Critical authority is given to a centralized body to ensure consistently highly effective security throughout the organization.

A holistic view of the security needs for the entire organization, as well as its extended enterprise, to ensure consistent, efficient deployment. Critical authority is given to a centralized body to ensure consistently highly effective security throughout the organization.86% of companies surveyed have intrusion detection systems in place. However, of those companies, only 35% actively monitor 95% to 100% of their critical servers for intrusions.


3) Continuous3) Continuous

Real-time monitoring and updating of all security policies, procedures, and processes to ensuring a timely response to issues and opportunities.

Real-time monitoring and updating of all security policies, procedures, and processes to ensuring a timely response to issues and opportunities.

46% of respondents indicated that they use manual or partially automated methods of tracking physical assets as opposed to fully automated methods.

Not occasionally. Not periodically.

Continuously.Continuously.

Not occasionally. Not periodically.

Continuously.Continuously.


4) Proactive4) Proactive

Initial AssessmentInitial AssessmentOngoing MonitoringOngoing Monitoring

Periodic AssessmentPeriodic Assessment

HighHigh

RiskIntelligence

RiskIntelligence

LowLow

TimeTime

ProactiveProactive

TraditionalTraditional

The ability of a security program to be able to effectively anticipate potential threats and vulnerabilities and to maintain the confidentiality, integrity, and availability of these digitally.

The ability of a security program to be able to effectively anticipate potential threats and vulnerabilities and to maintain the confidentiality, integrity, and availability of these digitally.Only 16% percent of respondents have wide-scale deployment of vulnerability tracking mechanism, and knowledge of all critical information vulnerabilities.


5) Validated5) Validated

PeerPeer

3rd Party3rd Party

SelfSelf

To a UnitTo a Unit

To a Business Objective

To a Business Objective

To a Standard

To a Standard

Rigor of ValidationRigor of Validation

DeployedDeployed

ValidatedValidated

TestedTested

Achieving highly effective digital security requires third-party validation of critical security components and business objectives.

Achieving highly effective digital security requires third-party validation of critical security components and business objectives.

66% of respondents indicated that their information security policies are not in complete compliance with the domains defined by ISO 17799, CISSP, Common Criteria, or other recognized models.


6) Formal6) Formal

Doc

umen

ted

Doc

umen

ted

MinimallyMinimally HighlyHighlyConfirmedConfirmed

Min

imal

lyM

inim

ally

Hig

hly

Hig

hly

Documented

Documented

Formal

Experienced-

based

Experienced-

basedSitu

ational

Situatio

nal

Policies, standards, and guidelines, which provide fundamental direction on digital security issues and are endorsed by senior staff. To be formal, they must be documented and tested, then communicated to every member of the organization.

Policies, standards, and guidelines, which provide fundamental direction on digital security issues and are endorsed by senior staff. To be formal, they must be documented and tested, then communicated to every member of the organization. 13% of respondents have integrated business continuity and disaster recovery plans that address recovering the entire enterprise. 7% indicated they have no documented plans in place.


Technology and Business Objective Drives RequirementsTechnology and Business Objective Drives Requirements

ImpactImpact

HighHigh

LowLow

LowLow HighHighProbability of FailureProbability of Failure

Minimum Standards Zone

Security Requirements ZonesSecurity Requirements Zones

InformationKiosk

Managed Risk ZoneManaged Risk Zone

Trusted System ZoneTrusted System Zone

Bank ATMBank ATM Health CareSystem

Health CareSystem Financial

SystemFinancialSystem

ElectricalPower

ElectricalPower

eCommerceSystem

eCommerceSystem

PublicWeb Server

PublicWeb Server

EmailServerEmailServer


The Security AgendaThe Security AgendaThe Security AgendaThe Security Agenda


9 Strategic Areas of “The Security Agenda”9 Strategic Areas of “The Security Agenda”

SecurityStrategySecurityStrategy

Policies, Standards, & Guidelines

Intrusion & Virus Detection

Incident Response

Physical Security

Privacy



Incident Response

Physical Security

Privacy

Asset & Service Management

Vulnerability Management

Entitlement Management

Asset & Service Management



Business ContinuityBusiness Continuity


Complex Organizational TransformationComplex Organizational Transformation

TECHNOLOGYTECHNOLOGY

PROCESS

PROCESSPE

OPL

EPE

OPL

EAll 3

Components Needed

All 3 Components

Needed


Intrusion

and Virus

Detection

Intrusion

and Virus

Detection

DatabaseDatabase

RouterRouter

FirewallFirewall

Web

Server

Web

Server

SNMPSNMP

BiometricsBiometrics

ApplicationApplication

Operating

System

Operating

System

Intrusion and Virus DetectionIntrusion and Virus Detection


Incident

Response

Program

Incident

Response

Program

Mobilize AdministerEvent

Lifecycle

Event

Lifecycle

Program

Lifecycle

Program

Lifecycle

Incident ResponseIncident Response


Independent VerificationService Provider ComplianceData Registration

Independent VerificationService Provider ComplianceData Registration

Ongoing Monitoring

Re-certification

Ongoing Monitoring

Re-certification

Stakeholder Expectations

Legislation Organization

Stakeholder Expectations

Legislation Organization

Remediation Plans Training

Remediation Plans Training

Benchmarking/Roadmaps

People

Policies

Operations

Technology

Benchmarking/Roadmaps

People

Policies

Operations

Technology

VERIFYVERIFY

MAINTAINMAINTAIN

IMPROVEIMPROVE

DIAGNOSEDIAGNOSE

BASELINEBASELINE

PrivacyPrivacy


Policies, Standards

and Guidelines

Policies, Standards

and Guidelines

Policies, Standards, and GuidelinesPolicies, Standards, and Guidelines


Physical SecurityPhysical Security

PHYSICALSECURITY

Fences, Walls, GatesGuards, Cameras

Biom

etrics, Infrared,

Authentication, Surveillance

Bio

met

rics

, Inf

rare

d,

Aut

hent

icat

ion,

Sur

veill

ance

Structural

Pro

cedu

ral

Digital


TECHNOLOGYTECHNOLOGY

PROCESS

PROCESSPE

OPL

EPE

OPL

EC

able

an

d C

ircu

it

Portfolio

Fin

ancial

ProcurementContracts

Management and Track Assets

Automate Processes

Management and Track Assets

Automate Processes Manage Asset Financial

Information

Budget AnalysisM

anage Asset Financial

Information

Budget AnalysisMan

age

Conn

ectiv

ityan

d Ca

ble

Plan

t

Man

age

Conn

ectiv

ityan

d Ca

ble

Plan

t

Aid Decision-making

Streamline Processes

Aid Decision-making

Streamline Processes

Manage and Track

Contracts

Manage and Track

Contracts

ASSETMANAGEMENT

ASSETMANAGEMENT

Asset & Service ManagementAsset & Service Management


IT ProcessIT Process

CFO

Team

CFO

Team

Expanding controlExpanding control

IT Audit

Team

IT Audit

Team

CIO

Team

CIO

Team

Security

Team

Security

Team

AccountabilityAccountability

DeploymentDeployment

KnowledgeKnowledge

Expanding scope over critical infrastructureExpanding scope over critical infrastructure

Technology & PeopleTechnology & People

Key

Assets

Team

Key

Assets

Team

Security

Systems

Team

Security

Systems

Team

Key

Assets

Team

Key

Assets

Team

Key

Assets

Team

Key

Assets

Team

Key

Assets

Team

Key

Assets

Team

Compliance

Audit Ability

Governance and Accountability

Compliance

Audit Ability

Governance and Accountability

All Critical

Infrastructure

All Critical

Infrastructure

Workflow/Tracking

Feasible Deployment

Know Critical Assets

Workflow/Tracking

Feasible Deployment

Know Critical Assets

Serve and

Protect Systems

Serve and

Protect Systems

Configurations

Policies

Alerts

Configurations

Policies

Alerts

Just

Protect

Systems

Just

Protect

Systems

Vulnerability ManagementVulnerability Management


Entitlement

Management

Entitlement

Management

Identity

Management

Identity

Management

Access

Management

Access

ManagementSecure Portals

Data Model

Metadirectory

Authentication Management

Secure Portals

Data Model

Metadirectory

Authentication Management

Single Sign-On

Access Control

User Management

Policy Management

Single Sign-On

Access Control

User Management

Policy Management

Entitlement ManagementEntitlement Management


DEFINE

DEFINE

AN

ALYZE

AN

ALYZE

DESIGN

DESIGN

IMPLEM

ENT

IMPLEM

ENT

Business

Continuity

Roadmap

Business

Continuity

Roadmap

Business

Impact

Assessment

Business

Impact

AssessmentThreat

and Risk

Assessment

Threat

and Risk

Assessment

Recovery

Strategies

Recovery

Strategies

Business

Continuity

Plan

Business

Continuity

Plan

Plan

Maintenance

Program

Plan

Maintenance

Program

Business ContinuityBusiness Continuity


A Scorecard for Evaluation & ActionA Scorecard for Evaluation & Action



Incident Response

Physical Security

Privacy Asset & Service

Management



Business Continuity



Incident Response

Physical Security

Privacy Asset & Service

Management



Business Continuity

Alig

ned

Alig

ned

Ent

erpr

ise-

wid

e

Ent

erpr

ise-

wid

eC

ontin

uous

Con

tinuo

usP

roac

tive

Pro

activ

e

Val

idat

ed

Val

idat

ed

Form

al

Form

al

High RiskHigh Risk Medium RiskMedium Risk Low RiskLow Risk


Service ManagementService Management

C E OC E O

Public, Media,Government Relations

Public, Media,Government Relations Security CommitteeSecurity Committee

PlanningPlanning ArchitectureArchitecture OperationsOperations MonitoringMonitoring

Security OfficerSecurity OfficerAsset ManagementAsset ManagementPhysical SecurityPhysical Security

Continuity PlanningContinuity Planning

Privacy OfficerPrivacy Officer

Business Requirements Education Formal Communications Governance Policies Project Management Risk Assessment

Requests for Proposals (RFP)

Standards & Guidelines Technical

Requirements/Design Technical Security

Architecture Technology Solutions

Incident Response Access Control/ Account

Management Investigations Standards/Solutions

Deployment Training & Awareness Vulnerability Management

Auditing Reporting Systems Monitoring Security Testing

Security Organizational FrameworkSecurity Organizational Framework


The Roadmap for SuccessThe Roadmap for SuccessThe Roadmap for SuccessThe Roadmap for Success


Executive management must understand Executive management must understand

Scenario-based simulations – Table-Top Exercises

The organizations response

Critical roles and responsibilities

Actions plans to minimize the effect of an incident

Monitor and test responses

Scenario-based simulations – Table-Top Exercises

The organizations response

Critical roles and responsibilities

Actions plans to minimize the effect of an incident

Monitor and test responses


Model and Define RiskEstablish consistent threat categories

Model and Define RiskEstablish consistent threat categories

Digital Impact/RiskDigital Impact/RiskDigital Impact/RiskDigital Impact/Risk

Risk toRisk toCustomer SegmentCustomer Segment

Risk toRisk toCustomer SegmentCustomer Segment

Risk to MultipleRisk to MultipleCustomersCustomers

Risk to MultipleRisk to MultipleCustomersCustomers

Chronic or SeriesChronic or Seriesof Inefficienciesof Inefficiencies

Chronic or SeriesChronic or Seriesof Inefficienciesof Inefficiencies

Core Process orCore Process orSystem ShutdownSystem ShutdownCore Process orCore Process or

System ShutdownSystem Shutdown

TacticalTacticalInefficienciesInefficiencies

TacticalTacticalInefficienciesInefficiencies

Dept. of HomelandSecurity Risk

Dept. of HomelandSecurity Risk

SevereSevere

HighHigh

Elevated

GuardedGuarded

LowLow11

22

3

44

55

GreenGreen

BlueBlue

Yellow

OrangeOrange

RedRed

Homeland

LevelHomeland

LevelCategory

LevelCategory

Level


Frequency of OccurrenceFrequency of Occurrence

HighHigh


Impact of OccurrenceImpact of Occurrence

Understand Risk Posture CurveUnderstand Risk Posture Curve

Low,1

Low,1

Impact Level

Impact Level

Guarded

,2

Guarded

,2Eleva

ted,3

Eleva

ted,3

High,4

High,4

Sever

e,5

Sever

e,5

Each of the 9 areas of the security agenda determine your risk posture, or how events will effect your organization

You risk posture changes as the environment and technology changes

Each of the 9 areas of the security agenda determine your risk posture, or how events will effect your organization

You risk posture changes as the environment and technology changes


The Fulcrum of ControlThe Fulcrum of Control

Impact of Occurrence


HighHigh



55

44

33

11

ImmediateAction

ImmediateAction

ROIDecisionROI

Decision

Fulcru

m o

f Contro

l

Fulcru

m o

f Contro

l

The ability to control & contain digital security incidents is the key to success

Management must determine this tipping point or fulcrum and use it to drive their focus

The ability to control & contain digital security incidents is the key to success

Management must determine this tipping point or fulcrum and use it to drive their focus

22


Forces Affecting RiskForces Affecting Risk

Every time technology is changed or deployed the risk posture curve moves

Management must recognize this and deploy security resources accordingly

Every time technology is changed or deployed the risk posture curve moves

Management must recognize this and deploy security resources accordingly



HighHigh



55

44

33

22

11

New or ChangedTechnologyNew or ChangedTechnology

RiskManagementRiskManagement


Manage Risk for a Competitive AdvantageManage Risk for a Competitive Advantage

Impact of Occurren

ce

Impact of Occurren

ce

HighHigh

LowLow

LowLow HighHighFrequency of OccurrenceFrequency of Occurrence

11

22

33

44

55

Company A

Company AIndustry

Industry

Maintaining digital availability when your competitors in your industry fail is critical for most companies long-term success

Maintaining digital availability when your competitors in your industry fail is critical for most companies long-term success


Security “Orbit of Regard”Security “Orbit of Regard”

CEOCEO

Products/Services

Products/Services

MarketShare

MarketShare

CustomerService

CustomerService

GrowthGrowth

DigitalSecurity

2000s

DigitalSecurity

2000s DigitalSecurity

1990s

DigitalSecurity

1990s

DigitalSecurity

1980s

DigitalSecurity

1980s

Security is a top executive issue

Today, companies will compete on being able to respond to a digital threat

Top executives must close the digital security gap.

Security is a top executive issue

Today, companies will compete on being able to respond to a digital threat

Top executives must close the digital security gap.


Highly Effective Security Cultures:Highly Effective Security Cultures:

are chief executive-driven

maintain a heightened sense of awareness

utilize a digital security guidance council

establish timetables for success and monitor progress

drive an enterprise-wide approach

are chief executive-driven

maintain a heightened sense of awareness

utilize a digital security guidance council

establish timetables for success and monitor progress

drive an enterprise-wide approach

The commitment of organization’s personnel to the principles of security will determine the success or failure of the digital security program.

The commitment of organization’s personnel to the principles of security will determine the success or failure of the digital security program.


For More Information…For More Information…

Mark Doll

Americas Director,

Security & Technology Solution

Ernst & Young LLP

Phone: 408-947-4981

E-mail: [email protected]

Web site: ey.com/security

Security Hotline: 800-706-2663

Mark Doll

Americas Director,

Security & Technology Solution

Ernst & Young LLP

Phone: 408-947-4981

E-mail: [email protected]

Web site: ey.com/security

Security Hotline: 800-706-2663

Security

Documents

Transcript of Security